• Stars
    star
    295
  • Rank 140,902 (Top 3 %)
  • Language
    Shell
  • License
    GNU General Publi...
  • Created about 6 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pattern Extractor for Obfuscated Code

Build Status Actively Maintained

Fnord

Fnord is a pattern extractor for obfuscated code

Description

Fnord has two main functions:

  1. Extract byte sequences and create some statistics
  2. Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule

1. Statistics

Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.

Each line in the table contains:

  • Length
  • Number of occurrences
  • Sequence (string)
  • Formatted (ascii/wide/hex)
  • Hex encoded form
  • Entropy

2. YARA Rule Creation

Fnord also generates an experimental YARA rule. During YARA rule creation it will calculate a score based in the length of the sequence and the number of occurrences (length * occurrences). It will then process each sequences by removing all non-letter characters and comparing them with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated in the rule.

Status

[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters, scoring options.

Improve the Results

If you've found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save to a new file. Use that new file for the analysis.

Play with the flags -s, -k, -r, --yara-strings, -mand-e`.

Please send me samples that produce weak YARA rules that could be better.

Usage

        ____                 __
       / __/__  ___  _______/ /
      / _// _ \/ _ \/ __/ _  /
     /_/ /_//_/\___/_/  \_,_/ Pattern Extractor for Obfuscated Code
     v0.7, Florian Roth

    usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
                    [-e min-entropy] [--strings] [--include-padding] [--debug]
                    [--noyara] [-s similarity] [-k keywords-multiplier]
                    [-r structure-multiplier] [-c count-limiter] [--yara-exact]
                    [--yara-strings max] [--show-score] [--show-count]
                    [--author author]

    Fnord - Pattern Extractor for Obfuscated Code

    optional arguments:
      -h, --help            show this help message and exit
      -f file               File to process
      -m min                Minimum sequence length
      -x max                Maximum sequence length
      -t top                Number of items in the Top x list
      -n min-occ            Minimum number of occurrences to show
      -e min-entropy        Minimum entropy
      --strings             Show strings only
      --include-padding     Include 0x00 and 0x20 in the extracted strings
      --debug               Debug output

    YARA Rule Creation:
      --noyara              Do not generate an experimental YARA rule
      -s similarity         Allowed similarity (use values between 0.1=low and
                            10=high, default=1.5)
      -k keywords-multiplier
                            Keywords multiplier (multiplies score of sequences if
                            keyword is found) (best use values between 1 and 5,
                            default=2.0)
      -r structure-multiplier
                            Structure multiplier (multiplies score of sequences if
                            it is identified as code structure and not payload)
                            (best use values between 1 and 5, default=2.0)
      -c count-limiter      Count limiter (limts the impact of the count by
                            capping it at a certain amount) (best use values
                            between 5 and 100, default=20)
      --yara-exact          Add magic header and magic footer limitations to the
                            rule
      --yara-strings max    Maximum sequence length
      --show-score          Show score in comments of YARA rules
      --show-count          Show count in sample in comments of YARA rules
      --author author       YARA rule author

Getting Started

  1. git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
  2. pip3 install -r ./requirements.txt
  3. python3 ./fnord.py --help

Examples

python3 fnord.py -f ./test/wraeop.sct --yara-strings 10
python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact

Screenshots

Fnord Screenshot

Fnord Screenshot

Fnord Screenshot

Warning

The folder ./test contains scripts that are malicious and may be detected by your local Antivirus scanner. They don't harm your system as long as you don't run them.

FAQs

Why didn't you integrate Fnord in yarGen?

yarGen uses a white-listing approach to filter the strings that are best for the creation of a YARA rule. yarGen applies some regular expressions to adjust scores of strings before creating the YARA rules. But its approach is very different to the method used by Fnord, which calculates the score of the byte sequences based on statistics.

While yarGen is best used for un-obfuscated code. Fnord is for obfuscated code only and should produce much better results than yarGen.

Contact

Follow me on Twitter for updates @cyb3rops

More Repositories

1

Loki

Loki - Simple IOC and YARA Scanner
Python
3,321
star
2

signature-base

YARA signature and IOC database for my scanners and tools
YARA
2,426
star
3

yarGen

yarGen is a generator for YARA rules
Python
1,518
star
4

auditd

Best Practice Auditd Configuration
1,448
star
5

Raccine

A Simple Ransomware Vaccine
C++
945
star
6

munin

Online hash checker for Virustotal and other services
Python
809
star
7

log4shell-detector

Detector for Log4Shell exploitation attempts
Python
729
star
8

Fenrir

Simple Bash IOC Scanner
Shell
680
star
9

yarAnalyzer

Yara Rule Analyzer and Statistics
Python
356
star
10

vti-dorks

Awesome VirusTotal Intelligence Search Queries
325
star
11

BlueLedger

A list of my personal projects
166
star
12

DLLRunner

Smart DLL execution for malware analysis in sandbox systems
Python
141
star
13

god-mode-rules

God Mode Detection Rules
YARA
129
star
14

YARA-Performance-Guidelines

A guide on how to write fast and memory friendly YARA rules
122
star
15

evt2sigma

Log Entry to Sigma Rule Converter
Python
104
star
16

yaraQA

YARA rule analyzer to improve rule quality and performance
Python
93
star
17

Cyber-Search-Shortcuts

Browser Shortcuts for Cyber Security Related Online Services
78
star
18

exotron

Sandbox feature upgrade with the help of wrapped samples
Python
75
star
19

Loki2

LOKI2 - Simple IOC and YARA Scanner
Rust
73
star
20

ImpHash-Generator

PE Import Hash Generator
Python
72
star
21

Rewind

Immediate Virus Infection Counter Measures
C#
62
star
22

radiocarbon

Leak File Analyzer
Python
62
star
23

tiny-shells

All kinds of tiny shells
59
star
24

panopticon

A YARA Rule Performance Measurement Tool
YARA
58
star
25

LOLSecIssues

Cybersecurity's lighter side: a collection of the most amusing misunderstandings and missteps from newcomers to offensive security tools. A repository where naivetΓ© in infosec is met with humor.
57
star
26

ti-falsepositives

A collection of typical false positive indicators
Python
54
star
27

webshell-intel

Scan web server for known webshell names and responses
50
star
28

xorex

XOR Key Extractor
Python
48
star
29

Talks

Slides of my public talks
46
star
30

cyber-chef-recipes

Recipes for GCHQ's CyberChef Web App
35
star
31

sysmon-version-history

An Inofficial Sysmon Version History (Change Log)
32
star
32

littlesnitch-log-exporter

LittleSnitch Log Statistics Exporter
Python
32
star
33

YARA-Style-Guide

A specification and style guide for YARA rules
32
star
34

SkeletonKeyScanner

Scanner for the SkeletonKey Malware
Python
30
star
35

ThreatResearch-Reporting-Guide

Offensive Research Guide to Help Defense Improve Detection
29
star
36

prisma

Command Line STDOUT Colorer
Python
29
star
37

ReginScanner

Scanner for Regin Virtual Filesystems
Python
26
star
38

space-id

Invisible Watermarks with Space Characters in ASCII Files
Python
22
star
39

neolog

Windows Syslog Command Line Client
15
star
40

narsil

Spy Agency Teasing
Python
14
star
41

yara-uuid-generator

A tool that adds reproducible UUIDs to YARA rules
Python
13
star
42

WPWatcher

Wordpress Watcher is a wrapper for WPScan that manages scans on multiple sites and reports by email
Python
11
star
43

defensive-project-ideas

Ideas for projects for defensive research or blue teaming
10
star
44

agile-hacking

Collection of hacks that make use of the least available on victim systems
Visual Basic
8
star
45

CredsSpreader

A tool to spread canary credentials in your organisation
8
star
46

language-thor

Syntax Theme for THOR APT Scanner log files
5
star
47

yara-type-selectors

YARA rules to certain types of files without using YARA modules to avoid the performance impact
YARA
5
star
48

PassTweaker

Tweaks password files to match modern password requirements
Python
5
star
49

speedy

(Demo) - Only used to demonstrate a memory leak caused by Golang regexp
Go
4
star
50

loki-cloud

A flexible and lightweight way to execute LOKI on end systems
3
star
51

imphash-go

Imphash Generator
1
star